How to Connect to AWS RHUI Outside Yum

Solution Verified

Environment

AWS RHUI clients.

Issue

Yum knows what to send when it talks to AWS RHUI thanks to the repository configuration and the Amazon ID plug-in. If you want to talk to AWS RHUI with a plain HTTP client such as curl or wget, for example for debugging, you have to collect all of that information by hand. This solution article explains how.

Resolution

AWS RHUI only serves content to authorized AWS RHUI clients, so bare HTTP(S) requests are denied. In addition, the RHUI server certificate is issued by a CA that is not in the system trust store, so an HTTP client will not trust it by default. You need the following to communicate with AWS RHUI successfully:

  1. The RHUI CA certificate, which lets your client verify the web server that hosts RHUI. (Strictly speaking you can do without it by telling the HTTP client not to verify the server certificate, but that is not recommended: it can hide exactly the problem that yum is running into.)
  2. The repository entitlement certificate, which grants access to the repository in question.
  3. The repository entitlement key, the private key that goes with that certificate.
  4. The AWS instance identity document, which identifies the instance that is talking to RHUI.
  5. The AWS instance identity signature, AWS's signature over that document, which lets RHUI verify that the document is genuine.

The last two items are not needed in RHUI environments other than AWS; for example, a customer's RHUI.

Lastly, you need a URL to check. It can be the base URL / mirror list of a repository of your choice, the URL of a specific metadata file or RPM package, or a directory that you want to examine. Note that not all directories can be viewed.

Now log in to a RHEL AWS instance, become root (only root can read the required certificates), and check the /etc/yum.repos.d/redhat-rhui.repo file, or another redhat-rhui*.repo file in the same directory if working with a layered product. This is an INI file containing sections for all entitled repositories. Each section contains, among other things, the following options:

  • mirrorlist=URL with REGION
  • sslcacert=path
  • sslclientcert=path
  • sslclientkey=path

You may, for example, want to troubleshoot the AppStream RHEL 8 repository. To do so, find the section called [rhel-8-appstream-rhui-rpms]. To simplify the troubleshooting, just copy and paste the lines corresponding to the options above into your shell so that you have all this information as environment variables, but define releasever and basearch first, and replace REGION with the AWS region the instance is running in. In the case of RHEL 8 running on x86_64, first run the following commands in the shell of the instance:

releasever=8
basearch=x86_64

Then, for example, if you are in us-east-1 and the value of the mirrorlist option is https://rhui.REGION.aws.ce.redhat.com/pulp/mirror/content/dist/rhel8/rhui/$releasever/$basearch/appstream/os, run:

mirrorlist=https://rhui.us-east-1.aws.ce.redhat.com/pulp/mirror/content/dist/rhel8/rhui/$releasever/$basearch/appstream/os

Use a different region in the URL if your instance is somewhere else.

Note: If your instance is in a GovCloud region, use the corresponding public region instead:

  GovCloud region   Recommended public region
  us-gov-west-1     us-west-2
  us-gov-east-1     us-east-2

This is because RHUI is not available in GovCloud regions, so the hostname in the mirrorlist variable would not resolve.

Then run:

sslclientkey=/etc/pki/rhui/content-rhel8.key
sslclientcert=/etc/pki/rhui/product/content-rhel8.crt
sslcacert=/etc/pki/rhui/cdn.redhat.com-chain.crt

(Use the paths that are used with the repository that you are checking; they will be different for other RHEL versions or for layered products.)

Obtaining the AWS ID and signature is less straightforward. The following Python code does it:

from base64 import urlsafe_b64encode as enc
import requests

# Token-less (IMDSv1-style) requests to the instance metadata service.
# An instance that is configured to require IMDSv2 answers these with HTTP 401.
i = requests.get("http://169.254.169.254/latest/dynamic/instance-identity/document")
i.raise_for_status()
# Both values must be URL-safe base64, which is the form the curl command below sends.
ID = enc(i.text.encode()).decode()
s = requests.get("http://169.254.169.254/latest/dynamic/instance-identity/signature")
s.raise_for_status()
SIG = enc(s.text.encode()).decode()
print("rhui_id=%s\nrhui_signature=%s\n" % (ID, SIG))

This code works on any RHEL version that has Python 2 or 3 and the requests module installed. To execute it, run python (or /usr/libexec/platform-python on vanilla RHEL 8 VMs) and paste the code into the prompt. Note that an instance configured to require IMDSv2 rejects these token-less metadata requests with HTTP 401; in that case, first obtain a session token with a PUT request to http://169.254.169.254/latest/api/token and send it in the X-aws-ec2-metadata-token header of both GET requests. Upon successful execution, you get the last two pieces of the puzzle. Here is a trimmed example of the output:

rhui_id=abc
rhui_signature=xyz

Exit the python interpreter (CTRL+D), and copy and paste the two lines into the login shell, where you already have the previously defined variables. You should be all set now, and the following command should be able to communicate with AWS RHUI just like Yum, but with extra debugging information:

curl -v -L --header "X-RHUI-ID: $rhui_id" --header "X-RHUI-SIGNATURE: $rhui_signature" --cacert $sslcacert --cert $sslclientcert --key $sslclientkey $mirrorlist

However, what you get back is just the mirror list, i.e. plain-text output that contains the final URL(s) (with RHUI 3 there is only one), for example:

https://rhui.us-east-1.aws.ce.redhat.com/pulp/content/content/dist/rhel8/rhui/8/x86_64/appstream/os

Therefore, to access the actual contents, re-run the curl command but replace $mirrorlist with the printed URL followed by /repodata/repomd.xml, or by /Packages/FIRST_LETTER/PACKAGE_NVRA.rpm if you are looking for a particular package. In the latter case add -O so that curl saves the response to a file; otherwise your terminal will be flooded with the binary bytes of the RPM file.
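The steps above gathered into one script, as an added example that is not part of the Red Hat article; the rhui_* function names are mine. It assumes bash with curl, awk, sed and GNU coreutils base64 on a RHEL instance, run as root so the entitlement key is readable, and the metadata endpoint at 169.254.169.254 (override with IMDS=...). Two things differ from the manual procedure: the identity document and signature are saved to files instead of being captured into shell variables, so the bytes fed to base64 are exactly what IMDS returned, which is what the signature covers; and an IMDSv2 session token is requested first, because instances that require IMDSv2 answer token-less metadata requests with HTTP 401 and the Python snippet above would fail there. The rhui_sample_repo function writes a constructed stand-in for redhat-rhui.repo so the parsing can be tried off-instance.

```shell
#!/bin/bash
# Added example, not from the Red Hat article: the manual steps above as one script.
# Assumes curl, awk, sed and GNU coreutils base64 (all present on RHEL), run as root on the instance.
# Usage: ./rhui-curl.sh run rhel-8-appstream-rhui-rpms [/etc/yum.repos.d/redhat-rhui.repo]
set -eu

IMDS=${IMDS:-http://169.254.169.254}   # instance metadata endpoint (assumed default)

# rhui_repo_option FILE SECTION KEY: print KEY's value from [SECTION] of an INI-style repo file
rhui_repo_option() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && match($0, "^" key "[[:space:]]*=[[:space:]]*") { print substr($0, RLENGTH + 1); exit }
    ' "$1"
}

# rhui_expand VALUE REGION RELEASEVER BASEARCH: substitute REGION, $releasever and $basearch by hand
rhui_expand() {
    printf '%s\n' "$1" | sed -e 's|REGION|'"$2"'|g' -e 's|\$releasever|'"$3"'|g' -e 's|\$basearch|'"$4"'|g'
}

# rhui_public_region REGION: RHUI is not served in GovCloud, so map to the public region the article names
rhui_public_region() {
    case "$1" in
        us-gov-west-1) echo us-west-2 ;;
        us-gov-east-1) echo us-east-2 ;;
        *)             echo "$1" ;;
    esac
}

# rhui_urlsafe_b64: stdin -> URL-safe base64 with padding, the same output as Python's urlsafe_b64encode
rhui_urlsafe_b64() {
    base64 -w0 | tr '+/' '-_'
}

# rhui_imds NAME OUTFILE: save instance-identity/NAME byte-for-byte (no $(...) newline stripping).
# Tries an IMDSv2 session token first and falls back to a plain IMDSv1 request if none is issued.
rhui_imds() {
    local tok url="$IMDS/latest/dynamic/instance-identity/$1"
    tok=$(curl -s -m 2 -X PUT "$IMDS/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60" || true)
    if [ -n "$tok" ]; then
        curl -sSf -m 5 -H "X-aws-ec2-metadata-token: $tok" -o "$2" "$url"
    else
        curl -sSf -m 5 -o "$2" "$url"
    fi
}

# rhui_get URL [curl args...]: the article's curl command (-v dropped) using the variables main() fills in
rhui_get() {
    local url="$1"; shift
    curl -sS -L --header "X-RHUI-ID: $rhui_id" --header "X-RHUI-SIGNATURE: $rhui_signature" \
         --cacert "$sslcacert" --cert "$sslclientcert" --key "$sslclientkey" "$@" "$url"
}

# rhui_sample_repo OUTFILE: a constructed stand-in for redhat-rhui.repo (two sections) for dry runs
rhui_sample_repo() {
    cat > "$1" <<'EOF'
[rhel-8-baseos-rhui-rpms]
mirrorlist=https://rhui.REGION.aws.ce.redhat.com/pulp/mirror/content/dist/rhel8/rhui/$releasever/$basearch/baseos/os
sslcacert=/etc/pki/rhui/cdn.redhat.com-chain.crt

[rhel-8-appstream-rhui-rpms]
mirrorlist=https://rhui.REGION.aws.ce.redhat.com/pulp/mirror/content/dist/rhel8/rhui/$releasever/$basearch/appstream/os
sslcacert=/etc/pki/rhui/cdn.redhat.com-chain.crt
sslclientcert=/etc/pki/rhui/product/content-rhel8.crt
sslclientkey=/etc/pki/rhui/content-rhel8.key
EOF
}

main() {
    local section="$1" file="${2:-/etc/yum.repos.d/redhat-rhui.repo}" tmp region releasever basearch base
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    rhui_imds document  "$tmp/document"
    rhui_imds signature "$tmp/signature"
    region=$(rhui_public_region "$(sed -n 's/.*"region" *: *"\([^"]*\)".*/\1/p' "$tmp/document")")
    releasever=$(. /etc/os-release; printf '%s' "${VERSION_ID%%.*}")
    basearch=$(uname -m)
    mirrorlist=$(rhui_expand "$(rhui_repo_option "$file" "$section" mirrorlist)" "$region" "$releasever" "$basearch")
    sslcacert=$(rhui_repo_option "$file" "$section" sslcacert)
    sslclientcert=$(rhui_repo_option "$file" "$section" sslclientcert)
    sslclientkey=$(rhui_repo_option "$file" "$section" sslclientkey)
    rhui_id=$(rhui_urlsafe_b64 < "$tmp/document")
    rhui_signature=$(rhui_urlsafe_b64 < "$tmp/signature")
    # Step 1: the mirror list answer is plain text holding the real base URL (a single line on RHUI 3)
    base=$(rhui_get "$mirrorlist" | sed -n 1p)
    [ -n "$base" ] || { echo "empty mirror list from $mirrorlist" >&2; return 1; }
    echo "mirrorlist $mirrorlist -> $base" >&2
    # Step 2: fetch repomd.xml from that base URL, the first file yum itself reads
    rhui_get "$base/repodata/repomd.xml"
}

if [ "${1:-}" = run ]; then
    main "${2:?repo section, e.g. rhel-8-appstream-rhui-rpms}" "${3:-}"
fi
```

Run it as ./rhui-curl.sh run rhel-8-appstream-rhui-rpms; it prints the resolved base URL to stderr and repomd.xml to stdout. For a package, call rhui_get with the base URL plus /Packages/FIRST_LETTER/PACKAGE_NVRA.rpm and pass -o FILE as the extra curl argument so the binary goes to a file. rhui_repo_option returns nothing when an option is missing from the section rather than picking it up from a neighbouring section, which is why the entitlement paths are read per repository.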

Note: if you prefer wget, use:

  • -O - instead of -v -L (or nothing if requesting binary contents such as an RPM file)
  • --ca-certificate instead of --cacert
  • --certificate instead of --cert
  • --private-key instead of --key

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
